GKCTF2020 Web: Check-in (CVE edition)

[GKCTF2020] Check-in (CVE edition)

Topic: CVE-2020-7066 and how the vulnerability is exploited.

Vulnerability principle:

In PHP 7.2.x before 7.2.29, 7.3.x before 7.3.16 and 7.4.x before 7.4.4, when get_headers() is called with a user-supplied URL that contains a NUL byte (\0), the URL is silently truncated at that byte. Software may therefore make wrong assumptions about which host get_headers() will actually contact and may send information to the wrong server.

get_headers() returns an array of the headers the server sent in response to an HTTP request. Example:

<?php
$url = 'http://www.example.com';

// Default form: numerically indexed array, one entry per header line
print_r(get_headers($url));

// With the second argument set to 1, headers are keyed by header name
print_r(get_headers($url, 1));
?>

Output result:

Array
(
    [0] => HTTP/1.1 200 OK
    [1] => Date: Sat, 29 May 2004 12:28:13 GMT
    [2] => Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux)
    [3] => Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
    [4] => ETag: "3f80f-1b6-3e1cb03b"
    [5] => Accept-Ranges: bytes
    [6] => Content-Length: 438
    [7] => Connection: close
    [8] => Content-Type: text/html
)

Array
(
    [0] => HTTP/1.1 200 OK
    [Date] => Sat, 29 May 2004 12:28:14 GMT
    [Server] => Apache/1.3.27 (Unix)  (Red-Hat/Linux)
    [Last-Modified] => Wed, 08 Jan 2003 23:11:55 GMT
    [ETag] => "3f80f-1b6-3e1cb03b"
    [Accept-Ranges] => bytes
    [Content-Length] => 438
    [Connection] => close
    [Content-Type] => text/html
)

On the challenge page, pressing F12 (opening the browser developer tools) reveals a hint: the flag is stored locally, i.e. at 127.0.0.1.

Then truncate the URL with %00, since the check only requires the URL to end with .ctfhub.com:

Response: the address ends with 123. So construct:

?url=http://127.0.0.123%00.ctfhub.com

Get the flag.

Summary: SSRF combined with CVE-2020-7066, using %00 to truncate the URL before the suffix check's trailing domain.
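As an added example, not code from the original post or from the challenge itself: a reconstruction of the suffix-only check the challenge appears to rely on, beside a hardened handler. The parameter name url, the .ctfhub.com suffix and the use of get_headers() are taken from the writeup; the exact form of the original check is an assumption.

```php
<?php
// Added example (not from the original post). Assumptions: the request
// parameter is ?url=, the allowed domain is ctfhub.com, and the fetch
// is done with get_headers() on an affected PHP version (CVE-2020-7066).

// Vulnerable: a suffix check on the raw string. A value such as
// "http://127.0.0.123\0.ctfhub.com" passes the check, but the affected
// PHP versions cut the URL at the NUL byte, so get_headers() actually
// contacts 127.0.0.123 instead of a ctfhub.com host.
function fetch_headers_vulnerable(string $url)
{
    if (substr($url, -strlen('.ctfhub.com')) !== '.ctfhub.com') {
        return false;
    }
    return @get_headers($url);
}

// Hardened: reject NUL/control bytes, parse the URL, validate the parsed
// host (not the raw string) against the expected domain, and resolve it to
// make sure it is not a loopback, private or reserved address.
function fetch_headers_hardened(string $url)
{
    // Any control byte (including "\0") is a sign of tampering: reject it.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    // Must be ctfhub.com itself or a subdomain of it.
    if ($host !== 'ctfhub.com' && substr($host, -strlen('.ctfhub.com')) !== '.ctfhub.com') {
        return false;
    }
    // Resolve and refuse private/reserved ranges (127.0.0.0/8 is reserved),
    // which also blocks a hostname that merely points at localhost.
    $ip = gethostbyname($host);
    if ($ip === $host) {
        return false; // DNS resolution failed
    }
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    return @get_headers($url);
}

var_dump(fetch_headers_hardened("http://127.0.0.123\0.ctfhub.com"));
```

Resolving the host once and fetching afterwards still leaves a DNS-rebinding window; a fetch that pins the resolved IP (or upgrading PHP past the fixed versions and re-checking the host) closes it.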


Origin blog.csdn.net/qq_45742511/article/details/114871984